SSL / Security Question

drew

29 Jun, 2012 05:07 PM

I recently switched to Trillian's web IM client and had a quick question about the security. I noticed I cannot choose to use SSL (https) when accessing the client and all communication with the Trillian service is over http. I see the message data appears to be encrypted. I was wondering if you could speak to the security of this? What type of encryption is used to secure messages and other information in transit to/from my computer to Trillian servers? Is it easy to hijack my IM session since presumably any session token or identifier associating my browser with my chat session is sent in the clear? Is there any preference to enable HTTPS?

Thanks.

  1. Support Staff 2 Posted by Scott Werndorfer on 30 Jun, 2012 01:03 AM

    Hi Drew - right now SSL is only used for your initial login and any subsequent request that requires transmission of a password. While your HTTP-based traffic can be read by a third party, session hijacking is protected by use of HMACs, the key for which is a nonce transmitted over SSL during your initial login. Replay attacks are also prevented by our protocol's native use of sequence numbers, such that anyone watching traffic over the wire replaying a particular message can only receive the same response your client already received. That being said, the next iteration of our server technology will support a pure SSL mode and we'll be making this mode the default behavior for all clients moving forward. I hope this helps!
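
The scheme described in the reply above, sketched as an added example that is not part of the original thread and is not Trillian's actual protocol. The message layout, field names, session id and the choice of HMAC-SHA256 are assumptions; the key stands in for the nonce delivered over SSL at login.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, session_id: str, seq: int, body: bytes) -> bytes:
    """MAC over session id, sequence number and body (assumed layout;
    the session id is assumed to contain no '|')."""
    msg = session_id.encode() + b"|" + str(seq).encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).digest()


class Session:
    """Server-side state for one login (hypothetical class)."""

    def __init__(self, session_id: str, key: bytes):
        self.session_id = session_id
        self.key = key              # nonce the client received over SSL
        self.last_seq = 0
        self.last_response = None
        self.executed = 0           # requests that actually changed state

    def handle(self, seq: int, body: bytes, tag: bytes) -> str:
        expected = sign(self.key, self.session_id, seq, body)
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return "rejected: bad MAC"
        if seq == self.last_seq and self.last_response is not None:
            return self.last_response   # replay: same answer, nothing re-run
        if seq != self.last_seq + 1:
            return "rejected: bad sequence"
        self.last_seq = seq
        self.executed += 1
        self.last_response = f"ok:{seq}:{body.decode()}"
        return self.last_response


def demo() -> dict:
    key = secrets.token_bytes(32)       # constructed stand-in for the nonce
    srv = Session("sess-1", key)        # constructed session id
    body = b"send:hello"
    tag = sign(key, "sess-1", 1, body)
    first = srv.handle(1, body, tag)
    replay = srv.handle(1, body, tag)           # captured request resent
    reused = srv.handle(2, b"send:other", tag)  # old tag on a new message
    wrong_key = sign(b"\x00" * 32, "sess-1", 2, b"send:other")
    guessed = srv.handle(2, b"send:other", wrong_key)
    return {"first": first, "replay": replay, "reused": reused,
            "guessed": guessed, "executed": srv.executed}
```

The MAC and sequence number authenticate and order requests only; the message bodies are still readable on the wire, which is the gap the pure SSL mode closes.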

  2. 3 Posted by drew on 30 Jun, 2012 01:11 AM

    Thanks for the good explanation and answer. It sounds sufficient and I feel more secure in using the web IM client now that I know some of those facts.

  3. 4 Posted by James on 18 Dec, 2012 04:28 PM

    Has this SSL mode been implemented yet?

  4. Support Staff 5 Posted by Kevin Kurtz on 02 Jan, 2013 03:01 PM

    James,

    Unfortunately, we have not yet updated the web version to do full SSL for all messages. However, we have updated the servers to support it and plan on updating it within the next few weeks (if not sooner).

    Sorry for the delay.

    -Kevin

  5. 6 Posted by James on 06 Jan, 2013 06:46 PM

    Ok, I'll keep an eye out for it. Thanks so much for your response, Kevin!

  6. Support Staff 7 Posted by Kevin Kurtz on 21 Jan, 2013 09:30 PM

    We have updated the Trillian for Web client to use all SSL. Look at the bottom right for version 2.0.0.622.

    -Kevin

  7. 8 Posted by James on 26 Jan, 2013 07:08 PM

    Awesome! Thanks for the update Kevin.
